Security in the Ether

the very term cloud computing might better be replaced by swamp computing. He later explained that he meant consumers should scrutinize the cloud industry’s breezy security claims: “My remark was not intended to say that cloud computing really is ‘swamp computing’ but, rather, that terminology has a way of affecting our perceptions and expectations. Thus, if we stop using the phrase cloud computing and started using swamp computing instead, we might find ourselves being much more inquisitive about the services and security guarantees that ‘swamp computing providers’ give us.”

4. Once the malicious VMs were on the same server as the victim’s VMs, the researchers were able to show they could monitor the victim’s use of computing resources. They said outright data theft would also be possible, though they didn’t take this step. Source: Ristenpart et al., 2009. “Hey, you, get off of my cloud: exploring information leakage in third-party compute clouds.” In the Proceedings of the 16th ACM Conference on Computer and Communications Security.

A similar viewpoint, if less colorfully expressed, animates a new effort by NIST to define just what cloud computing is and how its security can be assessed. “Everybody has confusion on this topic,” says Peter Mell; NIST is on its 15th version of the document defining the term. “The typical cloud definition is vague enough that it encompasses all of existing modern IT,” he says. “And trying to pull out unique security concerns is problematic.” NIST hopes that identifying these concerns more clearly will help the industry forge some common standards that will keep data more secure. The agency also wants to make clouds interoperable so that users can more easily move their data from one to another, which could lead to even greater efficiencies.

Given the industry’s rapid growth, the murkiness of its current security standards, and the anecdotal accounts of breakdowns, it’s not surprising that many companies still look askance at the idea of putting sensitive data in clouds. Though security is currently fairly good, cloud providers will have to prove their reliability over the long term, says Larry Peterson, a computer scientist at Princeton University who directs an Internet test bed called the PlanetLab Consortium. “The cloud provider may have appropriate security mechanisms,” Peterson says. “But can I trust not only that he will protect my data from a third party but that he’s not going to exploit my data, and that the data will be there five years, or 10 years, from now? Yes, there are security issues that need attention. But technology itself is not enough. The technology here may be out ahead of the comfort and the trust.”

Cloud infrastructure: More and more computing services are being delivered over the Internet. Behind the technology are huge remote data centers like these two football-field-sized buildings that Google operates in The Dalles, OR, shown during their construction four years ago.

In a nondescript data center in Somerville, MA, just outside Boston, lies a tangible reminder of the distrust that Peterson is talking about. The center is owned by a small company called 2N+1, which offers companies chilled floor space, security, electricity, and connectivity. On the first floor is a collection of a dozen black cabinets full of servers. Vincent Bono, a cofounder of 2N+1, explains that these are the property of his first client, a national bank. It chose to keep its own servers rather than hire a cloud. And for security, the bank chose the tangible kind: a steel fence.

Encrypting the Cloud

Cloud providers don’t yet have a virtual steel fence to sell you. But at a minimum, they can promise to keep your data on servers in, say, the United States or the European Union, for regulatory compliance or other reasons. And they are working on virtual walls: in August, Amazon announced plans to offer a “private cloud” service that ensures more secure passage of data from a corporate network to Amazon’s servers. (The company said this move was not a response to the research by the San Diego and MIT group. According to Adam Selipsky, vice president of Amazon Web Services, the issue was simply that “there is a set of customers and class of applications asking for even more enhanced levels of security than our existing services provided.”)

Meanwhile, new security technologies are emerging. A group from Microsoft, for example, has proposed a way to prevent users of one virtual